Police in Michigan, Wisconsin, and California can rummage through your cell phone data without a warrant (in Wisc. they technically need to prove "exigency", typically a triviality). In Mich. and Calif. citizens who refuse to allow the police to take their personal data can be arrested for obstructing an investigation. (Source: Matt York, Associated Press)

Michigan State troopers are using a device that seizes all data from smart phones. They're regularly performing the scrapes during routine traffic stops. There's no public oversight of what happens to that data. (Source: Cellebrite)

The question of whether state Supreme Courts can kill citizens' Constitutional freedoms is a one that will likely stir much debate and conflict. Ultimately, those wishing to push the nation towards a police state may find the Founding Fathers' ideas hard to kill, though. (Source: Alan Moore/David Lloyd)

Cops in Mich., Wisc., and Calif. can inspect ANYTHING on your cell phone -- pictures, call history, and more

Whether
it's real life historical regimes -- like Tojo's Imperial Rule Japan or
Italian Nationalists -- or those in fictional works -- like George Orwell's Animal
Farm or Alan Moore's V is For Vendetta -- the topic
of a fascist police state is one that has simultaneously fascinated and
frightened many.

In the United States, over the last decade police have enjoyed a growing set of
warrantless powers in the name of justice. In the last year, these powers
expanded yet again, when police in California, Wisconsin, and Michigan began
searching and seizing citizens’ cell phones -- without warrants.

I. Police Seize Citizens' Smartphones

In January 2011, California's Supreme Court ruled 5-2 that police could conduct warrantless
inspections of suspects' cell phones. According to the majority
decision, when a person is taken into police custody, they lose privacy rights
to anything they're carrying on them.

The ruling describes, "this loss of privacy allows police not only to seize
anything of importance they find on the arrestee's body ... but also to open
and examine what they find."

In a dissenting ruling, Justice Kathryn Mickle Werdegar stated, "[The
ruling allows police] to rummage at leisure through the wealth of personal
and business information that can be carried on a mobile phone or handheld
computer merely because the device was taken from an arrestee's person."

But California was not alone. Michigan State Police officers have been using a
device called Cellebrite UFED Physical Pro for the last couple years.
The device scrapes off everything stored on the phone -- GPS geotag data,
media (pictures, videos, music, etc.), text messages, emails, call history, and
more.

Michigan State Police have been reportedly regularly been scraping the phones of people they
pull over.

In neighboring Wisconsin, the state Supreme Court has
ruled that while such searches are generally illegal, their evidence
can become admissible in court if the police demonstrate an exigency (a press
need) for the information.

Essentially this ruling offers support for such searches as it indicates that
they can give solid evidence and ostensibly offers no repercussions to law
enforcement officials conducting the officially "illegal" procedure.

So far the only state to have a high profile ruling against the
practice was Ohio. The Supreme Court of Ohio ruled that warrantless smart
phone searching violated suspects' rights. The requested the U.S. Supreme
Court review the issue, but the request was denied.

II. What Does the Constitution Say?

The United States Constitution ostensibly is the most important government
document in the U.S. It guarantees essential rights to the citizens of
the U.S.

Some of those rights are specified in the Fourth Amendment, part of the
original Bill of Rights. It states:

The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause, supported by
Oath or affirmation, and particularly describing the place to be searched, and
the persons or things to be seized.

The
Constitution explicitly states that effects of a person cannot be unreasonably seized
without a warrant.

Of course courts must play the vital role of defining what a "reasonable" search is. But by extending the limits of searches to deem nearly all searches "reasonable", no matter how tenuous the connection to a suspect's detainment, this and several other decisions have created an erosion of the protections in the amendment.

Essentially what court rulings in California, Michigan, and Wisconsin indicate
is that the courts believe the Constitution is no longer valid, or that certain
Constitutional freedoms can be specially selected for elimination.

III. Benefits and Dangers

Some police officers and politicians argue that there are obvious benefits of
warrantless searches, including of cell phone data. Officers claim they can
obtain evidence that could be destroyed, concealed, or otherwise go
undiscovered if they had to go through the standard process of obtaining a
warrant.

These groups argue, "if you have nothing to hide, you have nothing to
worry about."

However, serious issues over the practice also seem apparent. For
example, police appear to be taking digital copies of the data on users' cell
phones, in addition to the applicable evidence. There is virtually no
oversight or transparency into how this data is stored or managed.

In short, citizens face a tremendous violation of privacy. They have little
recourse to take action against officers that abuse the obtained information
for business or personal purposes, as there's few laws explicitly applicable
such an issue.

The allowance also opens a gaping door to condoning police harassment of
citizens. It would be pretty easy for police to "detain" a
targeted individual on questionable charges and seize their phone.

Particularly in Michigan, the case is becoming contentious as the state is
refusing to give the ACLU information on the data it has obtained from users'
cell phones. The state has told the ACLU that it must pony
up $544,680 USD to process the records, if it wants them.

The ACLU is outraged at that exorbitant demand. Mark P. Francher, a
Michigan staff attorney with the ACLU's Racial Justice Project, states,
"Through these many requests for information we have tried to establish
whether these devices are being used legally. It’s telling that Michigan State
Police would rather play this stalling game than respect the public’s right to
know."

V. The Big Picture

Ben Franklin, in his notes to the Pennsylvania Assembly famously wrote,
"They who can give up essential liberty to obtain a little temporary
safety, deserve neither liberty nor safety."

Warrantless searches -- a critical component of any fascist police state --
were clearly deemed illegal by the founding fathers.

The police in the U.S. are being increasingly exempted from following due
process and given freedom to follow their commanders' dictates -- whatever they
may be. Meanwhile the rights and freedoms of citizens is eroding at an
equally rapid pace.

Some of these issues may end up at the U.S. Supreme Court, but the country as a
whole needs to consider and address them, as well, in the meantime.

Update 1: April 21, 2011 6:55 p.m. -

The Michigan State Police have shared with us the following statement:

Recent news coverage prompted by a press release issued by the American Civil Liberties Union (ACLU) has brought speculation and caused inaccurate information to be reported about data extraction devices (DEDs) owned by the Michigan State Police (MSP).

To be clear, there have not been any allegations of wrongdoing by the MSP in the use of DEDs.

The MSP only uses the DEDs if a search warrant is obtained or if the person possessing the mobile device gives consent. The department*s internal directive is that the DEDs only be used by MSP specialty teams on criminal cases, such as crimes against children.

The DEDs are not being used to extract citizens' personal information during routine traffic stops.

The MSP does not possess DEDs that can extract data without the officer actually possessing the owner's mobile device. The DEDs utilized by the MSP cannot obtain information from mobile devices without the mobile device owner knowing.

Data extraction devices are commercially available and are routinely utilized by mobile communication device vendors nationwide to transmit data from one device to another when customers upgrade their mobile devices.

These DEDs have been adapted for law enforcement use due to the ever-increasing use of mobile communication devices by criminals to further their criminal activity and have become a powerful investigative tool used to obtain critical information from criminals.

Since 2008, the MSP has worked with the ACLU to narrow the focus, and thus reducing the cost, of its initial Freedom of Information Act (FOIA) request. To date, the MSP has fulfilled at least one ACLU FOIA request on this issue and has several far-lower cost requests awaiting payment to begin processing. The MSP provides information in accordance with the Freedom of Information Act. As with any request, there may be a processing fee to search for, retrieve, review, examine, and separate exempt material, if any.

The implication by the ACLU that the MSP uses these devices "quietly to bypass Fourth Amendment protections against unreasonable searches" is untrue, and this divisive tactic unjustly harms police and community relations.

Note, as the ACLU and this article state, the police have to ask a citizen to get their phone during an investigation.

The police department's accounting that the device is not used during traffic stops conflicts with local reports and local testimony. It is unclear whether this is due to confusion in the department, officers breaking with protocol, or problems with eyewitness credibility.

The statement does not state whether or not charges of obstruction of justice can be filed against citizens refusing to part with their mobile devices.

It also makes it clear that the full body of the collected information has not been released, as the ACLU has accounted.

We will make more information available as we receive it.

Comments

Threshold

Username

Password

remember me

This article is over a month old, voting and posting comments is disabled

I agree with you completely. That's why I asked whether the police device would be able to break the encryption. Alternately, I could have asked whether I would be required to break the encryption for the police officers.

The police device is irrelevant to his point. If the device is left back at the Gourmet Haus Staudt...bam! That stuff is out there waiting to get hacked (that is if the thing is even locked to begin with at the time of interception).

Just like if I carried your medical records around in a briefcase. Of course the brief case is easily busted open regardless of the locking mechanism. But on the other hand, I am assuming there is A LOT more than a briefcase worth of documents on the phone.

Wouldn't your question be, "What the heck is he doing with my records in his briefcase?"

Its not the perfect comparison but you get my point right?If you want to carry the thing around the hospital that is one thing. But take it outside and that is unacceptable IMO.

quote: If you want to carry the thing around the hospital that is one thing. But take it outside and that is unacceptable IMO.

Unfortunately that's not very realistic. I work in IT for a hospital and there are many reasons that people use laptops and other mobile devices for work and take them home from work. For example, all IT staff have laptops that we use at work and also take them home every night. Why? Well, for a few reason - we are always on call (whether we like it or not), we can work from home, and because leaving laptops around the remote offices that are cleaned by outsourced companies (environmental services of the hospital only clean the main hospital - we have 30+ off site buildings and clinics). There are many reasons for each department, but I'm sure you can figure that part out.

However, we do not allow any patient data to be stored on laptops or mobile devices....well, on 99% of them anyway. There is always a small 1% of exceptions where it is possible. For example you need to be able to during a network outage, power outage, and certain vendors require that you only use their hardware and no network storage (typically smaller vendors that don't have a large support staff). We put as many programs as possible on the network through means such as Citrix, App-V, thin clients, virtual desktops, etc. In cases where the software must be locally installed, then we can resort to running the databases on SQL or Oracle servers which run at the data center as opposed to the local machine.

In todays world, the amount of patient data residing on any mobile device is next to nothing - at my facility anyway. Typically, when there is data there, it happens by accident or by people who are not computer savvy.

Also, we have our USB ports disabled by devices, so external hard drives and USB memory sticks are not recognized by the OS and users do not have the ability to install drivers to support them. We don't even allow android phones, iphones, or ipods to be connected and synced to any machine on our domain.

quote: Someone carrying around my medical records, unencrypted, on a device that is easily lost or stolen. Isn't that HIPAA violation??

No, its not a violation, unless your information is actually compromised. Obviously you've never worked in a hospital in an urban area. It's not just laptops and mobile devices that are at risk - there are people who run into clinics or the ER's and try to grab full sized desktop machines and run out the door. I would be more worried about those because many facilities still store patient data locally on hard drives because some vendors require you to run the system the way they give it to you or they will not support it - for example they will not support the system if the data lies on a NAS owned by the hospital and not the hard drive supplied by the vendor.

I work in the IT department as an analyst for a major hospital doing work in a field that goes hand in hand with what you're talking about.

We do several different things to prevent this from happening. For starters, every employee and vendor must have their own individual domain login account with passwords that must meet certain criteria and are forced to change every 90 days. All laptops are fully encrypted so that if they are stolen, they are pretty much rendered useless. Often times, they end up at a neighborhood pawn shop with a new hard drive and windows image on them or dumpster because the existing drive is useless.

Next, we do not allow any databases or patient information to be stored locally on laptops unless absolutely necessary - for example vendor software that is only sold running on their own supplied hardware and they will not support network storage as an option. All users have NAS shares that replace the local My Documents folders and the C: drives are locked down except for people with admin access - such as IT staff.

In as many cases as possible any software that needs to be accesses remotely from outside of the hospital is typically put on a virtual desktop, app-v, or citrix based solution so that the data is never stored locally. We are also starting to roll out thin clients as well. Keep in mind, you must also have a login and token to even get VPN access.

We currently are not supporting tablets like android or ipads, nor as we allowing android phones to sync with outlook calendars (and many other things like this) because of the security risks and ability for patient information to compromised.

I could go on forever with this stuff, but I assume you're catching my drift. Now, I cannot say that all places are as security and ahead of the curve like we are - most likely smaller doctors offices and the like are not. But in those things I mentioned above, we go well above and beyond what HIPPA standards are. And to make matters worse - HIPPA is so vague, that there really are no industry "standards" per say when it comes to many things that are available today like security, virtualization, encryption, etc.

Yes it is against HITECH, which is basically a supplement to HIPAA. Generally speaking most systems I've seen are server based and nothing is stored on the satellite device. It's really not that common anyhow.